On Tue, 2011-02-01 at 09:07 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 2) In delegation.ldif: ipapermission object class is missing for
> > removeentitlements and modifyentitlements (it has been added for
> > addentitlements though)
> 
> This was on purpose, I should have been clearer. Patch 664 makes major 
> changes to these and I'm trying to make the merge easier. I'll fix them 
> up when 664 gets pushed.

I thought so. I was confused by addentitlements permission which
objectclass was updated. We just have to make sure, that the
entitlements patch includes this new objectClass.

> 
> >
> >
> > QUESTION:
> > In this patch you add READONLY flag to Replica permissions. However it
> > is not actually used and stays as just an informative flag. It won't
> > prevent user from modifying/removing READONLY permissions.
> >
> > I guess enhancing permission-mod and permission-del of READONLY check
> > will be a subject of another ticket?
> 
> Ok, interesting point. I considered the aci itself to be read-only. The 
> only thing a user could do is rename the permission, right? I think that 
> would maintain consistency so it shouldn't be a problem. It would 
> probably be easy to really make these read-only but that would have a UI 
> impact as well, perhaps a problematic one. I suppose if they could 
> handle any read-only exceptions we'd raise that would be adequate.
> 
> rob

Yes, user could rename or delete permission. In both cases it won't have
any effect to the ACI as ACI plugin does not see it. But I think it
would be nice to prevent modifications to these permissions when we have
this new and shiny READONLY flag. Read-only exception may be a way to
achieve this...

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to